name: "Helm Charts"
# This workflow provides ability to release helm charts manually
# Should be removed when v2.5 is out of support
on:
  workflow_dispatch:
    inputs:
      release:
        description: Release charts
        required: false
        default: false
        type: boolean
permissions:
  contents: read
env:
  GH_USER: "github-actions[bot]"
  GH_EMAIL: "<41898282+github-actions[bot]@users.noreply.github.com>"
  GH_OWNER: ${{ github.repository_owner }}
  GH_REPO: "charts"
  HELM_DEV: ${{ contains(fromJSON('["pull_request", "push"]'), github.event_name) }}
  GITHUB_APP: "true"
  KUMA_DIR: "."
  CI_TOOLS_DIR: /home/runner/work/kuma/kuma/.ci_tools
jobs:
  package:
    name: Package
    runs-on: ubuntu-latest
    outputs:
      filename: ${{ steps.package.outputs.filename }}
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          fetch-depth: 0
          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
        with:
          go-version-file: go.mod
      - uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
        with:
          path: |
            ${{ env.CI_TOOLS_DIR }}
          key: ${{ runner.os }}-${{ runner.arch }}-devtools-${{ hashFiles('mk/dependencies/deps.lock') }}
          restore-keys: |
            ${{ runner.os }}-${{ runner.arch }}-devtools
      - name: Install dependencies
        run: |
          make dev/tools
      - name: package-helm-chart
        id: package
        run: |
          make helm/update-version

          git config user.name "${GH_USER}"
          git config user.email "${GH_EMAIL}"
          git add -u deployments/charts
          # This commit never ends up in the repo
          git commit --allow-empty -m "ci(helm): update versions"
          # To get an idea of what's in the commit to debug
          git show

          make helm/package
          PKG_FILENAME=$(find .cr-release-packages -type f -printf "%f\n")
          echo "filename=${PKG_FILENAME}" >> $GITHUB_OUTPUT
      - name: Upload packaged chart
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
        with:
          name: ${{ steps.package.outputs.filename }}
          path: .cr-release-packages/${{ steps.package.outputs.filename }}
          retention-days: ${{ github.event_name == 'pull_request' && 1 || 30 }}
      # Everything from here is only running on releases.
      # Ideally we'd finish the workflow early but this isn't possible: https://github.com/actions/runner/issues/662
      - name: Generate GitHub app token
        id: github-app-token
        if: github.event.inputs.release == 'true'
        uses: actions/create-github-app-token@f4c6bf6752984b3a29fcc135a5e70eb792c40c6b # v1.8.0
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
          repositories: ${{ env.GH_REPO }}
      - name: Release chart
        if: github.event.inputs.release == 'true'
        env:
          GH_TOKEN: ${{ steps.github-app-token.outputs.token }}
        run: make helm/release
